Re: IPTables rules and hosts that use DHCP

On Thu, 27 Dec 2007, in the Usenet newsgroup comp.os.linux.misc, in article
<pan.2007.12.27.13.58.10@xxxxxxxxxxxxxx>, K. Jennings wrote:

I have a set of IPTables rules to keep SSH attacks at bay - you know,
to prevent script kiddies from hammering my servers with oodles of
password authentication requests with all sorts of passwords and/or
usernames. Essentially, the rules blacklist hosts that attempt to
connect more than three times within a 30 second time interval. I also
have an IPTables rule that exempts some hosts from such constraints -
that is, SSH connections from such hosts are accepted at any
connection rate.

Do you really need to allow access to the entire world?

The proble that I have is that one of those hosts uses DHCP, and its
IP address changes with time. I use DynDNS services so that I can use
the same name (let's call it A) for that host, with the guarantee that
it will always resolve to the right IP address. However, I notice that
when I use the name A in my IPTables rule, when checking out the rule
with iptables -L the name actually used is the one assigned to the
particular IP address in use at the time the rule was defined - which
is fine until the host I am interested in changes its IP address.

I'm assuming that "A" is some remote host you want to allow. There
really isn't a dynamic way out of things. What I've been doing is to
allow access to the pool of addresses that the allowed host may get
assigned. For example, my sister and I act as backup servers for
each other (nightly backup diffs get sent to the "remote" server),
and I know she will get an address out of a /20 range (lets say
198.18.32.0 - 198.18.47.255), so I allow access from that range to
the port where the backup service is listening. I allow other access
to a different service to a /24 for a similar reason. This doesn't
prevent the zombie problem, but it sure knocks back the number of
attempts that I see.

Is there a way around this? Unfortunately, reconfiguring my SSH
servers so that password authentication is not accepted is not an
option.

Do you HAVE to have your SSH server on port 22, or can you move it
to a port less frequented by zombies/skript_kiddiez? Your clients
do have to be aware of the "non-standard" port, but (depending on the
tool they are using to access) this is USUALLY trivial.

Old guy
.

Relevant Pages

  • Re: [SLE] HOWTO block a host with SuSEFirewall2?
    ... > I have a problem on one of my servers. ... A specific host has been ... > attacking my server via ssh for the past 5 hours. ... I simply reassinged ssh to another port number that is far enough out of the ...
    (SuSE)
  • There are currently no logon servers available
    ... I recently added several Windows 2003 servers to my 2000AD. ... joined the domain fine and I can add domain users to resource ACL's however ... it will not resolve however pinging by only the host portion of the name it ... The redir is bound to 1 NetBt transport. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Mail not getting thru the domain
    ... I wonder why Justin would have to host his own DNS servers? ... > unless that website posts replies back to the original Microsoft forum. ...
    (microsoft.public.windows.server.dns)
  • Re: How to unable the use of tainted mode in a CGI script ?
    ... script and have it fail). ... Did you ask your host to clarify how/why ... hosting provider that has a better idea of how this works. ... Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers ...
    (comp.lang.perl.misc)
  • Re: IPTables rules and hosts that use DHCP
    ... authentication requests with all sorts of passwords and/or usernames. ... fine until the host I am interested in changes its IP address. ... my sister and I act as backup servers for each ... Do you HAVE to have your SSH server on port 22, ...
    (comp.os.linux.misc)